Wednesday, January 13, 2010

DevExpress VCL Build 48 - A haunting in Nevada

Analyzing Security Flaws

Full Blown Cryptography
Your reviewer recommends not 256, 512 or 768, but 2048-bit security. With an RSA 2048-bit key, it will be fun, really fun, to hack DevExpress. That would give Danny Su'ed an interesting challenge when he cracks CodeRush or extracts the DevExpress.NET sources.


GeoIP and double-check before downloading AES private key
Your reviewer thinks using GeoIP would be a good idea. Some smelly Delphi vendor who licensed DevExpress.VCL and then sends it to China under the same license code should get blocked.

Which leads to part 2. Right now, DevExpress sends the request without checking who the server is, so the HTTPS SOAP call could be spoofed with considerable effort (edit the binary EXE to change "HTTPS" to "HTTP", and the request is then sent without SSL). It would be wise to do a check first, like a ping/ping handshake that verifies the server's credentials before downloading the actual AES key; a spoofer would have a much harder time.

For part 3, if someone installs more than 5 or 10 times in one day, it's time to flag that account as needing "review". For obvious reasons.
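One way to implement the part 3 flagging, as an added example that is not from the post or from DevExpress: constructed activation log lines (timestamp, account, machine id) are parsed, and any account whose install count inside any sliding 24-hour window exceeds the threshold is put in the review queue.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activation log (not real DevExpress data): timestamp, account, machine id.
SAMPLE_LOG = """\
2010-01-12T08:00:00 acct-1001 MACH-A
2010-01-12T09:10:00 acct-1001 MACH-B
2010-01-12T09:20:00 acct-1001 MACH-C
2010-01-12T11:00:00 acct-1001 MACH-D
2010-01-12T15:30:00 acct-1001 MACH-E
2010-01-12T21:00:00 acct-1001 MACH-F
2010-01-12T10:00:00 acct-2002 MACH-G
2010-01-13T10:30:00 acct-2002 MACH-G
2010-01-14T11:00:00 acct-2002 MACH-H
"""

def parse_log(text):
    """Parse 'ISO-timestamp account machine' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append((parts[1], datetime.fromisoformat(parts[0]), parts[2]))
    return events

def flag_accounts(events, max_installs=5, window=timedelta(days=1)):
    """Map account -> peak install count for accounts exceeding max_installs in any sliding window."""
    by_account = defaultdict(list)
    for account, ts, _machine in events:
        by_account[account].append(ts)
    flagged = {}
    for account, stamps in by_account.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_installs:
            flagged[account] = peak
    return flagged

def review_queue(text, max_installs=5):
    """Convenience wrapper: log text in, accounts needing review out."""
    return flag_accounts(parse_log(text), max_installs=max_installs)

if __name__ == "__main__":
    for account, count in review_queue(SAMPLE_LOG).items():
        print(f"{account}: {count} installs within 24h, flag for review")
```

The sliding window catches bursts that straddle midnight, which a simple per-calendar-day count would miss.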


DXIF with AES, with multiple passwords
Could it be, a DXIF file with multiple passwords? That could be true soon. It would make things much harder. A wise-crack who licensed QuantumGrid could no longer unlock ExpressBars or maybe ExpressPrinters ;)


Custom Setups
The best thing that could ever happen to the DevExpress build environment is to make it on-demand. Then start to break up the package. For example, most customers who didn't license the full DevExpress subscription probably will not need all the files; only the cracker who wants to extract all of them does.


Calling Dr. Jones, Jones Calling Doctor Jones
Why not consider giving DevExpress customers a nice phone call? Your reviewer DelphiHater would be thrilled to hear Amanda (from DevExpress) on the phone discussing licensing, or maybe as a security check.


The next weakest link
The next weakest link is having one password for the whole DXIF archive. It needs multiple passwords. The only other vendor who uses multiple passwords is Mathias/Madshi, whose Madshi.RAR file has multiple passwords in one RAR file, and the only way to extract the contents is with a valid key file.


The 3rd weakest link
Your reviewer thinks using ASProtect or WinLicense to protect the binaries will slow them down. Why not protect them with Silicon Realms Armadillo, ASProtect or WinLicense? It would leave only the most hardened hacker able to hack DevExpress.VCL.


The Dope of Embracing Illegal Software
The irony of being a hacker: you get recognized as a hero, with respect and honour. Did anyone try hiring one and find out they are total idiots?

It takes 9 to 12 months to make an application. But most of these "hackers" are total idiots when it comes to hard work, making money, and earning a decent living.

For example, take DevExpress.VCL: it costs US$1500 per developer, plus an annual subscription. If the hacker (being an idiot, btw) uses it for 5 years, someone will find out sooner or later that most of the things are warez, and he'll get into trouble. If the application also uses TMS, LMD or ReportBuilder, the costs add up more and more. In the end, the hacker will still be a one-person company, or forever dependent on employment, but wait, since Delphi is dead, what jobs? (see next part)


The Delphi Hate-Love Affair
Your reviewer was looking at how much it costs to make ExpressBars or QuantumGrid. It could cost US$200,000 in development costs. Somebody has to pay for it. If more people bought DevExpress products, that would mean lower costs and more innovation. But it's the opposite: now buying DevExpress costs more money, and only for bug-fixing, with very slow new product development.

If you log into the DevExpress private newsgroups, you can see Julian Bucknall lament poor sales and how the .NET version of their products saved the day. That also means many newer features found in Silverlight and their C# version won't be in the VCL version anytime soon...


Delphi Revival, what revival?
That also means that while Embarcadero, DevExpress and other companies are hoping for a turnaround of fortunes...

Your reviewer should say there is no hope in Delphi: if you sell to developers, you sell to an extremely limited market, and if you do not make prices very high, you lose to mass piracy. That means fewer and fewer people will want to buy the "original" and everyone loses. If everyone loses, that means Delphi is dead, and everyone will migrate to C#/SilverLight/PHP to save costs.

(disclaimer: DelphiHater loves WaveMaker, PHP and DoJo, the US$0 solution.)


Brave things to do...
(disclaimer: from a post your reviewer saw before it was deleted)

- The crackers/hackers cannot even KeyGen DevExpress.VCL

- There is no proper working crack for Add-in Express

- Most of the things released are cracked garbage
(ahh, the Dope of Embrace ;))

- The most expensive software, like BrickSoft, Add-in Express, or the Gnostice PDF subscription with sources, will never get keygenned or a full-source-code release.

funny


Did you know?
- Members of DevExpress team read this.

There are an estimated 20,000 Delphi users using DevExpress.VCL illegally. That would translate to +/- US$20,000,000 in lost sales. If every Delphi developer licensed original software, it would translate into more jobs and higher salaries for existing Delphi developers. What happened? Massive piracy cuts Delphi's future. The future is here: there are few (or no) jobs, no money, nothing.
